topic Re: FTD and policy based routing in Network Security

FTD and policy based routing

Chess Norris — Thu, 08 Sep 2022 07:54:50 GMT

Hello,

We have a FTD running version 7.0.2 and use PBR based on source networks and route the traffic to different gateways.

It work great for outbound traffic, but we also publish a server on the internet and for some reason PBR don't work and we cannot reach the server. Instead the return traffic is using the default gateway and not the one specified in the route map.

Both the inside and the outside interface are included in the PBR and the ACL that we use for the outside interface, have source any and the the server address on the inside as destination. I also tried to put the translated address as destination, but that didn't help either.

Here's some of the output from the packet-tracer, where we can se it uses the wrong interface and therefore get dropped.

Phase: 7
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
Input route lookup returned ifc Outside is not same as existing ifc Outside2

Result:
input-interface: Inside_2(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000055ce0b4fd15c flow (NA)/NA

Any ideas on what could be wrong?

Thanks

/Chess

Re: FTD and policy based routing

MHM Cisco World — Thu, 08 Sep 2022 11:15:19 GMT

share the NAT you use in FTD

Re: FTD and policy based routing

Marvin Rhoads — Thu, 08 Sep 2022 12:18:58 GMT

As @MHM Cisco World is implying, your NAT rule is the most likely culprit. If the server's static NAT is on the outside interface (vs. Outside2), then it won't work.

Re: FTD and policy based routing

dbogdan — Mon, 12 Sep 2022 14:40:15 GMT

I have the same issue. I am using dynamic NAT to two different ISPs. The Nat statements are in the order of the Outside, then Ourside2. It never thakes that path even by deleting the route to the outside interface gateway

Re: FTD and policy based routing

dbogdan — Mon, 12 Sep 2022 14:42:49 GMT

here's my nat statements:

nat (Inside,Outside) after-auto source dynamic Any_Any interface destination static Any_Any Any_Any
nat (Inside,Micronova) after-auto source dynamic Any_Any interface destination static Any_Any Any_Any

Re: FTD and policy based routing

dbogdan — Mon, 12 Sep 2022 14:44:58 GMT

Also adding that this setup works perfectly on an ASA configured like an ASA, not as an FTD.

Re: FTD and policy based routing

dbogdan — Mon, 12 Sep 2022 18:04:02 GMT

The solution is a follows:

1. do not add both interfaces in the same zone. create an Outside zone and an Outside 2 zone.

2. set up autonat twice. One for using two different object names that are 0.0.0.0/0 (any)

example:

object network Any_Any
nat (Inside,Outside) dynamic interface
object network any4
nat (Inside,Outside2) dynamic interface

Re: FTD and policy based routing

alirafaleiro — Thu, 29 Sep 2022 08:30:30 GMT

Cisco Firepower Threat Defense (FTD) is a unified software image, which includes the Cisco ASA features and FirePOWER Services. This unified software is capable of offering the function of ASA and FirePOWER in one platform, both in terms of hardware and software features.

The Policy-Based Routing feature is a process whereby a device puts packets through a route map before routing the packets. The route map determines which packets are routed next to which device. Policy-based routing is a more flexible mechanism for routing packets than destination routing.